WordPress has been one of the leading content management systems (CMS) for more than a decade. Many of the Internet’s largest blogs, as well as a host of small, individual sites, run on WordPress for publishing text, image and video content.
A WordPress website has both a front-end and a back-end interface. The front-end provides an output that external visitors will see when they load the Web page. The back-end is accessible to site administrators and staff responsible for drafting, designing and publishing content.
Like any other Internet-based system, WordPress is a target of hacking attempts and other forms of cybercrime. That makes sense, since more than 32% of the Internet now runs on WordPress. In this article, we will discuss some of the most common WordPress attacks on the software and then offer some suggestions for security.
Methods for common WordPress attacks
First, let’s look at the common attacks that WordPress owners may encounter.
1. SQL Injection
The WordPress CMS platform relies on a database layer that stores metadata information and other administrative information. For example, a typical SQL-based WordPress database contains user information, content information and site configuration data.
When a hacker performs an SQL injection attack, they use a request parameter, either via an input field or a URL, to execute a custom database command. A “SELECT” query allows the hacker to view additional information from the database, while an “UPDATE” query allows them to actually modify data.
In 2011, a network security company called Barracuda Networks fell victim to an SQL injection attack. The hackers ran a series of commands throughout the Barracuda website and eventually found a vulnerable page that could be used as a portal to the company’s primary database.
2. Cross-site Scripting
A cross-site scripting attack, also known as XSS, is similar to SQL injection and accepts that it targets the JavaScript elements on a Web page rather than the database behind the application. A successful attack could result in a remote visitor’s private information being compromised.
With an XSS attack, the hacker adds JavaScript code to a website via a comment box or other text entry, and then that malicious script is executed when other users visit the page. The fraudulent JavaScript usually directs users to a fraudulent website that will attempt to steal their password or other identifying information.
Even popular websites such as eBay can be targeted by XSS attacks. In the past, hackers have successfully added malicious code to product pages and convinced customers to sign in to a fake Web page.
3. Command Injection
Platforms such as WordPress operate on three primary layers: the Web server, the application server and the database server. But each of these servers runs on hardware with a specific operating system, such as Microsoft Windows or open-source Linux, and that is a separate potentially vulnerable area.
With a command injection attack, a hacker will enter malicious information into a text field or URL, similar to an SQL injection. The difference is that the code contains a command recognized only by operating systems, such as the command “ls. When executed, a list of all files and folders on the host server is displayed.
Certain Internet cameras appear to be particularly vulnerable to command injection attacks. Their firmware can falsely expose the system configuration to remote users when a fraudulent command is issued.
4. File Inclusion
Common code languages for the Web, such as PHP and Java, allow programmers to reference external files and scripts from within their code. The include command is the generic name for this type of activity.
In certain situations, a hacker can manipulate the URL of a Web site to compromise the “include” section of the code and gain access to other parts of the application server. Certain plug-ins for the WordPress platform were found to be vulnerable to file inclusion attacks. When such hacks occur, the infiltrator can gain access to all data on the primary application server.
Tips for protection
Now that you know what to look out for, here are a few simple ways to improve your WordPress security. Obviously, there are many more ways to secure your site than those listed below, but these are relatively simple methods to start with that will yield impressive returns for hackers thwarted.
1. Get a good hosting company
The WordPress platform can be run from a local server or managed through a cloud hosting environment. For the purpose of maintaining a secure system, the hosted option is preferred. The best WordPress hosts on the market offer SSL encryption and other forms of security protection.
When configuring a hosted WordPress environment, it is critical to enable an internal firewall that secures connections between your application server and other network layers. A firewall checks the validity of all requests between layers to ensure that only legitimate requests are allowed to be processed.
2. Keep themes and plug-ins updated
The WordPress community is filled with third-party developers who are constantly working on new themes and plug-ins to leverage the power of the CMS platform. These add-ons can be free or paid. Plug-ins and themes should always be downloaded directly from the WordPress.org website.
External plug-ins and themes can be risky because they contain code that runs on your application server. Trust only add-ons that come from a reliable source and developer. Moreover, you should regularly update plug-ins and themes because developers will release security enhancements.
Within the WordPress administrator console, the “Updates” tab is located at the very top of the “Dashboard” menu list.
3. Install a virus scanner and VPN
If you are using WordPress in a local environment or have full server access through your hosting provider, be sure that a robust virus scanner is active on your operating system. Free tools to scan your WordPress site, such as Virus Total, will check all sources for vulnerabilities.
When connecting to your WordPress environment from a remote location, you should always use a virtual private network (VPN) client, which ensures that all data communication between your local computer and the server is fully encrypted.
4. Lockdown against Brute Force attacks.
One of the most popular and common WordPress attacks takes the form of so-called brute force attacks. This is nothing more than an automated program released by a hacker at the “front door. He sits there and tries thousands of different password combinations and often stumbles upon the right ones to make it worthwhile.
The good news is that there is an easy way to deter brute force. The bad news is that too many site owners do not apply the fix. Check out the All-in-One WP security and firewall. It is free and allows you to set a hard limit for login attempts. For example, after three attempts, the plug-in locks the site by that IP address for a preset length of time against further logins. You will also receive an e-mail notification that the lock function has been activated.
5. Two-Factor Authentication
This convenient method of securing your site depends on the fact that a hacker is unlikely to be able to take over two of your devices at the same time. For example, a computer AND a cell phone. Two-Factor Authentication (2FA) makes logging into your Web site a two-step process. As usual, you log in the normal way, but then you are asked to enter an additional code that is sent to your phone.
Smart, right? This extra step increases the security of your site exponentially by separating the login into several steps. Check out this list of free plug-ins that will help you set up 2FA. The hackers who thought they were trying to tamper with your site have probably already changed their minds.
Conclusion
While there is no such thing as a 100% secure website, there are plenty of steps you can take to protect your website. With the help of a good firewall, keeping your themes and plug-ins up-to-date and running a virus scan periodically can be hugely important.
It may help to think of Web site security as an eternal iterative process. There may never come a time when you step back and think it is “complete,” because the game between hackers and website defenders will never stop, with even officially sanctioned online players getting into the online surveillance business. Only by keeping yourself abreast of the latest threats and fending them off can you maintain cybersecurity and online privacy.
It is unfortunate that the world has to be this way, but accept it and move on. If you’ve never done it before, now would be a good time to find some respected cybersecurity news sites. Subscribe to their newsletter or at least pay regular visits. Get started by using Google (or the search engine of your choice) to search for “cybersecurity news.
Have a question, or more tips to add? Leave a comment and let us know.
